Generate a TLS server certificate for MariaDB using FreeIPA (certmonger / ipa-getcert) on a Debian 11 Proxmox LXC container
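# --- Debian 11 / Proxmox LXC bootstrap before FreeIPA enrollment ---
# Run as root; this is a transcript, the steps after "reboot" are run once
# the container is back up.
apt update
apt upgrade -y
apt install -y chrony sudo vim bash-completion

# An LXC guest cannot step the host clock, so run chronyd with -x (track the
# offset, never adjust the clock). The sed is a silent no-op if DAEMON_OPTS is
# not exactly "-F 1", so check that the flag is actually present afterwards.
sed -i 's/DAEMON_OPTS="-F 1"/DAEMON_OPTS="-F 1 -x"/' /etc/default/chrony
grep -q -- '-x' /etc/default/chrony \
  || printf 'warning: chrony -x flag not set in /etc/default/chrony\n' >&2

# Proxmox rewrites /etc/hostname on container start unless this marker exists.
# FreeIPA requires the hostname to be the fully-qualified name, so refuse to
# write an empty or unqualified value into /etc/hostname.
touch /etc/.pve-ignore.hostname
fqdn=$(hostname -f) || { printf 'cannot determine FQDN\n' >&2; exit 1; }
[[ "$fqdn" == *.* ]] || { printf 'hostname %s is not fully qualified\n' "$fqdn" >&2; exit 1; }
printf '%s\n' "$fqdn" > /etc/hostname

# Debian 11 backports. Nothing below installs with "-t bullseye-backports", so
# this only makes the packages available; plain "apt install" keeps preferring
# stable. Drop contrib/non-free if they are not needed. apt verifies the
# repository signatures, so plain http is acceptable here.
printf 'deb http://deb.debian.org/debian/ bullseye-backports main contrib non-free\n' \
  > /etc/apt/sources.list.d/debian_11_backports.list
apt update
reboot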
# --- FreeIPA client enrollment (after the reboot) ---
# --no-ntp: time is already handled by chrony -x above (the container cannot
# set the clock anyway). --ssh-trust-dns and --mkhomedir are sssd/sshd
# conveniences. NOTE(review): "--configure" on its own is not a documented
# ipa-client-install flag (the documented one is --configure-firefox); verify
# the installed version accepts it.
apt install -y freeipa-client
ipa-client-install \
  --no-ntp \
  --ssh-trust-dns \
  --mkhomedir \
  --configure

# The certificate request below needs a Kerberos ticket for a principal that
# may manage services on this host; "admin" is the usual choice.
kinit admin
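# --- Post-save hook that certmonger runs (as root) after every issue/renewal ---
# Installed once here and referenced via "ipa-getcert request -C". The heredoc
# delimiter is quoted so nothing inside is expanded at install time.
cat <<'EOF' > /usr/local/sbin/set-ssl-permissions
#!/bin/bash
# certmonger post-save hook for the MariaDB server certificate: convert the
# key to traditional RSA PEM and lock down ownership/permissions.
# A non-zero exit is surfaced by "ipa-getcert list" as a failed post-save
# command, so fail loudly instead of continuing with a half-applied state.
set -euo pipefail
umask 077

cert_dir=/etc/mysql/certificates
key="$cert_dir/cert.key"
cert="$cert_dir/cert.pem"

# certmonger writes the key as PKCS#8; rewrite it in place as "BEGIN RSA
# PRIVATE KEY". The output truncates the existing file (same inode), so the
# ownership and mode set below are preserved across renewals.
# NOTE(review): this only works for RSA keys (ipa-getcert's default) and is
# probably only needed for older TLS stacks; confirm MariaDB on this host
# does not accept the PKCS#8 key unchanged.
openssl rsa -in "$key" -out "$key"

# mysqld runs as mysql and must read both files; nobody else needs the key.
chown mysql:mysql "$key" "$cert"
chmod 0400 "$key" "$cert"

# NOTE(review): MariaDB keeps the previously loaded certificate until it is
# restarted (or "FLUSH SSL" on 10.4+); a renewal is not picked up by itself.
EOF
chmod 0755 /usr/local/sbin/set-ssl-permissions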
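# --- MariaDB: replace the server certificate with one issued by the IPA CA ---
# Assumes 50-server.cnf already points ssl-cert/ssl-key at
# /etc/mysql/certificates/cert.pem and cert.key; only ssl-ca is edited here.
cert_dir=/etc/mysql/certificates
server_cnf=/etc/mysql/mariadb.conf.d/50-server.cnf

# Keep the previous key material out of the way instead of deleting it.
# Iterate so that a missing match does not make mv fail on the literal glob.
mkdir -p "$cert_dir/BACKUP/orig/"
for f in "$cert_dir"/*.key "$cert_dir"/*.pem; do
  [[ -e "$f" ]] && mv -- "$f" "$cert_dir/BACKUP/orig/"
done

# ssl-ca is only needed to verify client certificates; the old ca.pem was
# just moved away, so comment it out. Clients still need the IPA CA
# (/etc/ipa/ca.crt on enrolled hosts) to verify this server.
sed -i 's|ssl-ca = /etc/mysql/certificates/ca\.pem|#ssl-ca = /etc/mysql/certificates/ca.pem|' "$server_cnf"

# Refuse plaintext connections and restrict to TLS 1.3. The sed edits are
# silent no-ops if the expected lines are absent, so verify the result; the
# tls_version append is guarded so re-running does not duplicate it.
sed -i 's/#require-secure-transport = on/require-secure-transport = on/' "$server_cnf"
grep -q '^tls_version' "$server_cnf" \
  || sed -i '/require-secure-transport = on/a tls_version = TLSv1.3' "$server_cnf"
grep -q '^require-secure-transport = on' "$server_cnf" \
  || printf 'warning: require-secure-transport not enabled in %s\n' "$server_cnf" >&2

# Request the service certificate and let certmonger track/renew it.
# NOTE(review): the realm is assumed to be the upper-cased DNS domain; if it
# differs, take it from "realm =" in /etc/ipa/default.conf instead.
# -w waits for issuance so mysqld is not restarted before the files exist.
fqdn=$(hostname -f)
realm=$(hostname -d | tr '[:lower:]' '[:upper:]')
ipa-getcert request -w \
  -K "mysql/${fqdn}@${realm}" \
  -k "$cert_dir/cert.key" \
  -f "$cert_dir/cert.pem" \
  -I mariadb \
  -C /usr/local/sbin/set-ssl-permissions
ipa-getcert list -i mariadb

systemctl restart mysql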